Author: The Safe Systems Compliance Team

20 Oct 2020

Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more material changes here, but we’re starting to see examiner scrutiny into not just if, but exactly what and how you’re testing.

According to the Handbook:

  • “An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures.”
  • “A test is a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment.”

Essentially, “…the distinction between the two is that exercises address people, processes, and systems whereas tests address specific aspects of a system.” Simply put, think of an exercise as a scenario-based simulation of your written process recovery procedures (a table-top exercise, for example), and a test as validation of the interdependencies of those processes, such as data restoration or circuit fail-over.

The new guidance makes it clear that you must have a comprehensive program that includes both exercises and tests, and that the primary objective should be to validate the effectiveness of your entire business continuity program. In the past, most FIs have conducted an annual table-top or structured walk-through test, and that was enough to validate their plan. It now seems that this new differentiation requires multiple methods of validation of your recovery capabilities. Given the close integration between the various internal and external interdependencies of your recovery procedures, this makes perfect sense.

An additional consideration in preparing for future testing is the increased focus on resiliency, defined as any proactive measures you’ve already implemented to mitigate disruptive events and enhance your recovery capabilities. The term “resiliency” is used 126 times in the new Handbook, and you can bet that examiners will be looking for you to validate your ability to withstand as well as recover in your testing exercises. Resilience measures can include fire suppression, auxiliary power, server virtualization and replication, hot-site facilities, alternate providers, succession planning, etc.

One way of incorporating resilience capabilities into future testing is to evaluate the impact of a disruptive event after consideration of your internal and external process interdependencies and accounting for any existing resilience measures. For example, let’s say your lending operations require 3 external providers and 6 internal assets, including IT infrastructure, scanned documents, paper documents, and key employees. List any resilience capabilities you already have in place, such as recovery testing results from your third-parties, data replication and restoration, and cross-training for key employees, then evaluate what the true impact of the disruptive event would be in that context.

In summary, conducting both testing and exercises gives all stakeholders a high level of assurance that you’ve thoroughly identified and evaluated all internal and external process interdependencies, built resilience into each component, and can successfully restore critical business functions within recovery time objectives.

30 Sep 2020

Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Hey Guru!

Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for the protection of data extend equally to both Confidential PII and the narrow data type called out by GDPR.


Hi Steve, and thanks for the question! Comparing the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) is instructive, as they both try to address the same challenge: privacy and security. Specifically, protecting information shared between a customer and a service provider. GLBA is specific to financial institutions, while GDPR defines a “data processor” as any third-party that processes personal data. However, they both have a very similar definition of the protected data. GDPR uses the term “personal data” for any information that relates to an individual who can be directly or indirectly identified, and GLBA uses the term non-public personal information (or NPI) to describe the same type of data.

To answer the question of whether the two are similar enough to apply the same or similar set of layered controls, my short answer is that, since layering controls is a risk-mitigation best practice, it would apply equally to both.

Here’s a bit more. The most important distinction between GLBA and GDPR is that GLBA has two sections: 501(a) and 501(b). The former establishes the right to privacy and the obligation that financial institutions must protect the security and confidentiality of customer NPI. 501(b) empowers the regulators to require FIs to establish safeguards to protect against any threats to NPI. Simply put, 501(a) is the “what”, and 501(b) is the “how”. Of course, the “how” has given us the 12 FFIEC IT Examination Handbooks, cybersecurity regulations, pen tests, the IT audit, and lots of other stuff with no end in sight.

By contrast, GDPR is more focused on the “what” (what a third-party can and can’t do with customer data, as well as what the customer can control, e.g. the right to have their data deleted) and much less on the “how” it is supposed to be done.

My understanding is that the scope of GLBA (and all the information security standards based thereon) is strictly limited to customer NPI; it does not extend to confidential or PII. One distinguishing factor between NPI and PII is that in US regulations NPI always refers to the “customer”, and PII always refers to the “consumer”. (Frankly, there isn’t really any difference between data obtained from a customer or consumer by a financial institution during the process of either pursuing or maintaining a business relationship.) We have always taken the position that for the purposes of data classification, NPI and confidential (PII) data share the same level of sensitivity, but guidance is only concerned about customer NPI. GDPR does not make that distinction.

In my opinion, our federal regulations will move towards merging NPI and PII, and in fact some states are already there. So, although it’s not strictly a requirement to protect anything other than NPI, it’s certainly a best practice, and combining both NPI and PII / confidential data in the same data sensitivity classification will do that.

One last thought about enforcement… So far, we have not heard of US regulators checking US-based FIs for GDPR compliance, but since our community-based financial institutions have very little EU exposure, your experience may be different.

05 Aug 2020

Reading Between the Lines: The Interagency Examiner Guidance for Assessing Safety and Soundness During COVID-19

On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions.” (FIL-64-2020)

This statement is only one of several interagency statements issued since the start of the Covid-19 Pandemic outlining supervisory principles examiners will use to guide their safety and soundness examinations in the context of this event. Simply put, this statement makes it clear that regulators expect financial institutions to take prudent actions and make reasonable accommodations to address the impact of the event on their customers (and by extension, on themselves).

The focus of this post is on what may be less clear, because ambiguity opens the door to interpretation, and differences of opinion between management and regulators are where the most contentious examination findings occur. We’re going to look at a few passages that caught my eye, and discuss how to interpret them and what specific action to take. We’ll focus on the Management section starting on page 9. The first few sentences state that:

“Examiners should evaluate the extent to which management factors the results of these efforts into its longer-term business strategy. Strategies could evolve throughout the local and national recovery. Institutions may be compelled to reconsider branching, mergers, or other expansions.”

Interpretation and actions to be taken

This one is pretty straightforward. When the dust settles from this event, examiners will be asking to see specific changes you’ve made to your strategic planning based on the lessons learned. Not if you’ve made adjustments to strategy, but what you’ve done to respond. Even if no material changes are forthcoming, make sure the Board and senior management meeting minutes reflect your thinking.

The next passage we’ll try to read between the lines of comes right after the previous one:

“When rating an institution’s management, examiners will distinguish between problems caused by the institution’s management and those caused by external factors beyond management’s control.”

Interpretation and actions to be taken

This relatively short sentence is much trickier to decode because it depends on the definition of “…external factors beyond management’s control.” Does “beyond control” mean beyond the capacity of management to anticipate? Virtually all natural disasters (and most man-made disasters and cyber events) are beyond management’s control, but that doesn’t mean the event should not be foreseen and assessed for probability and impact. In fact, the most recent FFIEC BCM Booklet makes no reference to risks beyond management’s control, instead using the term “reasonably foreseeable events” (including low probability, high impact events, like Pandemic) to describe the scope of events expected to be foreseen and risk-assessed by management. How should we reconcile the two concepts: “external factors beyond management’s control” and “reasonably foreseeable/anticipated risks”? Again, most threats facing financial institutions today are both beyond management’s control and reasonably foreseeable. Understanding how to approach this issue is more than an academic exercise; the Management component of your CAMELS rating may be affected by it.

Continuing in the same section:

“…management of an institution with problems largely related to the pandemic may warrant a more favorable rating than management of an institution operating with problems stemming from weak risk management practices that are, or should have been, substantially within the institution’s control.”

Interpretation and actions to be taken

To me this was the most difficult to interpret. Hypothetically, let’s say you’ve encountered credit quality issues largely related to the effects of the Covid-19 Pandemic. No downgrade, because it’s outside your control and not a sign of weak management practices. Just retroactively adjust your loan loss reserves and move on. Now, substitute “pandemic” with “major storm”. Let’s say you’ve experienced significant operational problems largely related to the storm. Also outside your control, but regulators will probably take the position that operational issues arising from a natural disaster should have been reasonably foreseen, and your failure to anticipate that is a sign of weak management practices. In this case your Management component will likely take a hit. Both Pandemic and severe weather are very likely addressed in your BCM plan, but the impact of one may be forgivable, while the other is attributed to weak management?

What we think the regulators are saying here is that it’s not the specific event, or problems arising from that event, or even whether or not management foresaw the problems in advance, that regulators really care about. It’s management’s response to the event, whether or not it was within their control, whether or not it was foreseen. That is the core of the issue: how management improvises, adapts, and overcomes.

This brings us back to the beginning and the first “actions to be taken”. This has been an unprecedented event in both scale and scope, and we believe that when the dust settles, examiners will be asking to see your specific adaptations to procedures and processes to ensure continued delivery of financial services. This will include your ability to assess and implement additional controls (including cyber) to “…manage heightened risks related to the adjusted operating environment.”

One last sentence to decipher, and this one may be the easiest to understand:

“…examiners will consider the impacts on the control environment from instances of imprudent cost cutting, insufficient staffing, or delays in implementing needed updates in their assessment of the institution.”

Interpretation and actions to be taken

Self-explanatory. Examiners will take a dim view of cost-cutting even if you can use the Pandemic to rationalize it. Don’t sacrifice your control environment on the altar of saving money. Additionally, this is not the time to cancel or delay projects; stay on track with your initiatives, but make any necessary strategic adjustments resulting from the lessons learned, including new technology and staffing considerations.

In summary, we believe that when all the direct and indirect impact from this event is calculated, it will prove to be no less significant than a major natural disaster or even a recession. The regulators are giving every indication that they think so too, and plan to treat it that way.

30 Mar 2020

Reading Between the Lines: Recent Regulatory News

March 30, 2020 – Federal Reserve Statement on Supervisory Activities

Where did it come from, and where can I find it?

Who needs to know about it?

  • All financial institutions supervised by the Federal Reserve

Why was it Issued?

  • To address adjustments in their supervisory approach in light of COVID-19

What does it say?

  • Financial institutions are encouraged to work with customers impacted by COVID-19
  • The Fed will not criticize you for prudent actions taken to accommodate impacted customers
  • The Fed will shift its focus from regular exams, to monitoring your efforts to address the internal and external impact of this issue
  • The Fed is also providing an additional 90 days to remediate any existing supervisory findings

What did it NOT say (but the Guru wants you to know)?

  • The exception to this de-emphasis on regular examination activity is any matter they feel is either urgent or negatively impacts safety and soundness. If you have any outstanding supervisory matters that might fall into those categories (MRAs, formal or informal enforcement actions), the Guru believes you should stay on your committed timetable for completion of those matters. The timetable for completion was agreed to by your institution and the Federal Reserve based on an assessment of the severity of the findings. Taking additional time to resolve them could conceivably be perceived as having a negative impact on your safety and soundness.
  • Any actions taken to accommodate customers who may be unable to meet their contractual obligations will necessarily result in a higher risk exposure for your institution. Essentially the Federal Reserve is asking you to temporarily increase your credit risk appetite. Document that with the Board, and don’t forget to roll it back to pre-pandemic levels when this is over.
  • Although there may temporarily be less scrutiny on routine regulatory matters, try not to allow yourself to get too far behind in the day-to-day management of IT and vendor management.

23 Mar 2020

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru!

Are we required to post any kind of statement to the public or our customers as to our readiness for COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online products if they are concerned about coming out in public to the branch. Thanks!


I wouldn’t call it a requirement to post a statement, but it’s definitely a best practice. I could easily see the examiners being just fine with your generic Pandemic planning, but next time they come in asking “what specific steps did you take in reaction to the recent COVID-19 event?”

Lots of generic best practices out there (CDC, etc.), and of course your response would depend on your capabilities (encouraging e-banking vs. face-to-face transactions, and e-signatures for physical signatures on loan documents, for example), but here are some FI-specific resources:

In addition to providing hand sanitizers and wipes in the branches, we’ve also heard of some folks making a point of wiping down their FI-owned ATM keypads (and/or offering wipes to customers for that purpose).
Here are some additional tips we’ve gathered from other financial institutions that may also be useful for you to consider (in no particular order):

  • Plan to restock FI-owned ATMs more frequently, and/or consider temporarily increasing daily withdrawal limits. Keep in mind that if reloading services are outsourced the vendor may be overwhelmed. Also check if your blanket bond insurance coverage needs to be adjusted for the higher limits.
  • Track (via a log) which employees enter your buildings each day to create a “contact tracking map” in case someone is diagnosed as a confirmed case.
  • Check HR policies (and communicate same) regarding employees needing to take extended sick leave or requiring additional time off to care for family members. Do you have a “flex-hours” policy for job duties that can be performed off-hours?
  • Is your succession plan at least three resources deep for most functions and possibly four resources deep for highly critical and specialized functions?
  • Depending on your primary demographic, consider creating special hours at certain locations specifically for more vulnerable elderly customers.
  • If you don’t already offer these services, have you considered consumer capture, “Smart” ATMs and other alternatives to face-to-face transactional services?
  • Define banking services that can be completed through the drive-thru, and those that require in-person interaction (and an appointment). (E.g. large cash or coin transactions may need to be in person because of security or drive-thru equipment limitations.)
  • Consider moving to an “appointment-only” approach for in-person banking services.
  • Consider evaluating your check cashing limits through the drive-thru or requiring additional identity verification.
  • Provide additional training on remote access hygiene. Does your Information Security Program require these users to sign a remote access agreement?
  • Remind all employees (especially those telecommuting) to continue to be vigilant to the potential uptick in cyber-attacks (phishing, vishing, etc.) and fraud attempts.
  • Law360 shares good information regarding cyber hygiene when telecommuting: https://www.law360.com/articles/1250758/as-covid-19-increases-remote-work-cyberhygiene-is-a-must

We have posted on this already and will likely be offering some additional best practices for bankers at both complianceguru.com and safesystems.com.

Hope all this helps. Stay tuned, and stay healthy out there!!

11 Mar 2020

FFIEC Issues Statement on Pandemic Planning

Background

Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency Statement on Pandemic Planning in response to the current COVID-19 epidemic. Similar to the Destructive Malware statement, this statement does not impose any additional regulatory expectations on financial institutions; it’s intended instead to “…remind financial institutions that business continuity plans should address the threat of a pandemic outbreak and its potential impact on the delivery of critical financial services.” It is actually an update to the 2007 Interagency Statement on Pandemic Planning, which was in response to the H5N1 epidemic in 2006. This release seems to be part of a consistent pattern with all recent statements: they are reactive in nature and serve to put already existing expectations and best practices into the context of current events.

Pandemic events pose unique challenges to financial institutions. They don’t target infrastructure or technology-based interdependencies, but instead impact another critical asset: the employee. The only change since the 2007 statement is that many institutions are even more dependent today on third-parties for support and delivery of critical services. This makes evaluation of third-party Pandemic contingency planning more important now. Of course, other areas have changed for the better. Electronic banking is more available (and more utilized) now than in 2006, so most customers have account access without having to physically access one of your branches.

Pandemic and your Business Continuity Strategy

As you evaluate your current BCM for Pandemic-related elements, the statement suggests your current BCM plan should provide for:

  • A preventive program
    • Monitoring of potential outbreaks
    • Educating employees
    • Communicating and coordinating with critical service providers and suppliers
    • Providing appropriate hygiene training and tools to employees.
  • A documented strategy to scale your response to the current 6-stage CDC framework:
    • Plan on maximum absenteeism (as high as 40%) during the peak and immediately following the Acceleration phase (phase 4).
  • Specific facilities, systems, and procedures designed to provide continuation of critical operations in the event that large numbers of staff are impacted by the event.
    • Social distancing to minimize staff contact
    • Telecommuting
    • Redirecting customers from branch to electronic banking services
    • Conducting operations from alternative sites
    • Consideration for the impact of customer reactions and the potential demand for, and increased reliance on, online banking, telephone banking, ATMs, and call support services.
  • A testing program designed to validate the effectiveness of the facilities, systems, and procedures identified.
  • An oversight and update program to continually monitor and adjust your Pandemic program.

The Business Impact Analysis & Risk Assessment

As we mentioned in an earlier post, the new BCM Handbook eliminated the separate Pandemic section, but this statement makes it clear that regulators still expect institutions to assess Pandemic alongside all other reasonably foreseeable threats. Both your Business Impact Analysis (BIA) and your Risk & Threat Assessment should incorporate the potential effects of Pandemic. The BIA should take a non-threat specific approach to essential processes and functions, allowing you to identify interdependencies among critical operations, departments, personnel, services, and the processes and functions with the greatest exposure to interruption. Make sure you’ve included critical employees and third-parties in your impact analysis, and that the end result is a prioritization of business processes.

The risk assessment is where specific threats are identified, analyzed, and ranked according to impact and probability. The end result of this analysis should provide a listing of disruptive events by severity. Events with high impact and high probability are considered high severity, should receive top priority for resource allocation, and should also be tested more frequently. Pandemic is typically considered a low probability, high impact event, but during phases 3 & 4 it may need to have its probability reevaluated. Doing so may result in a temporary assessment of high probability / high impact, allowing management to properly prioritize resource allocation in preparation for, and in response to, the Pandemic event.

Tests and Exercises

Finally, make sure to use the results of both the BIA and the risk assessment to inform your testing exercises. Make sure exercises validate your succession planning and cross-training by purposely excluding certain key individuals from active participation in the exercise. There will likely be a high reliance on remote access telecommuting during both the early stages (2 & 3) of the event and the later reactive stages (4 & 5). Have you identified employees with job duties capable of being performed remotely, and tested their remote access capabilities, including sufficient capacity, bandwidth, and authentication mechanisms? Do their remote access devices meet your current security standards, including AV/anti-malware status and patch levels? Have you validated your call-trees and communication plans, including with critical third-parties? Are your employees versed in communicating a consistent message to customers during the event?

As of the date of this post, we’re somewhere between phase 3 and phase 4. Financial institutions should use this Interagency Statement not just as a reminder of pandemic best practices, but as a clarion call to revisit their entire BCM and reevaluate all aspects of their resilience and recovery planning.